Secure Password, Exposed Username: Still Recipe for Disaster

In each of the recent attacks on Evernote, Facebook, and Twitter, the companies involved were quick to point out that passwords remained secure. But user information has a life of its own, and the effects of an attack on an individual can be felt long after the attack is over.

The Attacks We've Seen

Typically, what you hear when a major company has been compromised is that payment information is still secure and passwords were encrypted (more precisely, hashed), but that other information was accessible. Usually, this includes usernames and email addresses.

To most of us, that might not seem dangerous. After all, we give out our own emails all the time—we even post them online. But there are risks for users who've had even this small amount of information exposed.

Derek Halliday, senior product manager at Lookout mobile security explained to SecurityWatch how these bits of information can make users targets. "Account information can be used to potentially enable spearphishing because it provides some unique contextual information about people – a way to contact them," he said. "And the fact that they have at one point in time signed up for a particular service."

This is why legitimate alert emails frequently remind users who may have had their information exposed that no one will ever ask for their password. If an attacker knows you use Evernote (for example), it is short work to create a message that appears to come from Evernote and send it to the email address you use to manage your account. It might prompt you to provide your password or payment information, or trick you into clicking a malicious link.

"We've seen cyber criminals who are willing to engage in the 'long con,'" said Mark Risher, the co-founder and CEO of Impermium. "A multi-step attack that goes beyond the direct pilfering of sensitive data."

"When criminals break into a social network account, they can often find personal details that add legitimacy to a spearphishing," continued Risher, who cited an alumni association as one such personal detail. He explained that could be used to unlock the "secret question" feature—which sometimes asks what your school mascot was, or the name of your first pet—on another website.

The Worst Case

Chester Wisniewski, senior security advisor at Sophos, said that even though Evernote and other recently compromised websites secured their passwords with cryptographic hashes and random "salt" data, not all users might be protected. He explained that if users choose weak or common passwords, "then the criminals probably have it."

Even with salted hashes, the easier passwords can still be recovered by guessing. "Criminals are going to hash the really easy ones, and may not bother with the rest," said Wisniewski.
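To make Wisniewski's point concrete, here is an added example (not code from the article or from any of the companies named) that builds a small, constructed "leaked" user table of salted SHA-256 hashes and runs a short dictionary against it. The email addresses, passwords, salt format and wordlist are all invented for the demonstration. Salting means each user must be attacked separately rather than with one precomputed table, but as the script shows, that separate attack is cheap for anyone whose password is on a common list.

```python
import hashlib
import hmac
import os

# Constructed wordlist (assumption: a tiny stand-in for the multi-million-entry
# lists attackers actually use). Real lists are far larger but the logic is the same.
WORDLIST = ["123456", "password", "qwerty", "letmein", "monkey", "dragon", "evernote", "welcome"]


def hash_password(password, salt):
    """Salted SHA-256, hex-encoded: a common 2013-era storage scheme (assumption)."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def build_leaked_table():
    """Constructed sample data standing in for a dumped user table. Not real accounts."""
    users = [
        ("alice@example.com", "password1"),         # common word plus a digit
        ("bob@example.com", "letmein"),             # straight from the wordlist
        ("carol@example.com", "Evernote2013!"),     # service name, but not a pattern our rules try
        ("dave@example.com", "x7#Qp9!vL2mZ@rT4"),   # random, as a password manager would generate
    ]
    table = []
    for email, password in users:
        salt = os.urandom(16)  # per-user random salt, as the article says these sites used
        table.append({"email": email, "salt": salt, "hash": hash_password(password, salt)})
    return table


def candidates():
    """Wordlist entries plus a few cheap mangling rules (capitalise, append 1/123/!)."""
    for word in WORDLIST:
        yield word
        yield word.capitalize()
        for suffix in ("1", "123", "!"):
            yield word + suffix
            yield word.capitalize() + suffix


def crack(table):
    """Dictionary attack against salted hashes.

    Because every row has its own salt, each candidate must be re-hashed per user;
    that is what the salt buys. It does not help a user whose password is on the
    list, because the per-user work is only len(candidates) fast hashes.
    Returns (cracked_passwords_by_email, total_hash_operations).
    """
    cracked = {}
    hashes_computed = 0
    guesses = list(candidates())
    for row in table:
        for guess in guesses:
            hashes_computed += 1
            if hmac.compare_digest(hash_password(guess, row["salt"]), row["hash"]):
                cracked[row["email"]] = guess
                break
    return cracked, hashes_computed


if __name__ == "__main__":
    leaked = build_leaked_table()
    found, work = crack(leaked)
    print(f"{len(found)} of {len(leaked)} accounts recovered with {work} hash operations")
    for email, password in found.items():
        print(f"  {email}: {password}")
```

Running it recovers alice and bob in well under a hundred hash operations while carol and dave survive this wordlist; the salts only guarantee that the work cannot be shared across users. A slow, tunable hash such as bcrypt or scrypt (not mentioned in the article, but the standard practitioner's remedy) raises the cost of each guess, yet still does nothing for "password1", which is why the advice to pick strong, unique passwords stands regardless of how the site stores them.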

For some attackers, simply gaining access to social media accounts like Facebook or Twitter is enough. Some use the account to make money by spreading malware to the victim's contacts. More enterprising attackers may try the stolen password, which users frequently reuse, against the victim's webmail account.

"They often look for mail from the user's bank; oftentimes there's an 'I forgot my password' feature at that bank which relies solely on having access to the email account," said Risher.

Continuing in the worst case scenario, the attackers might not be done once they've gained access to online banking information. "A lot of these guys aren't going to directly engage in the identity theft, they'll sell it off," said Wisniewski.

He went on to explain that in the case of banking trojans, attackers will use the top 10 percent of the accounts—that is, the ones with the most available funds—and sell the other 90 percent of the information. This means that user information, once compromised, can continue to be used and reused until the owner finally regains control.

Keep Yourself Safe

"The good news in all of the recent ones is that nothing personally identifiable was taken," said Wisniewski, who stressed several times that the affected companies at least appeared to have taken good steps to secure user information.

But as we've seen, that's not always enough. Users need to heed warnings to change passwords when prompted by hacked services. They should also strive to select strong and unique passwords for every online service, perhaps utilizing a password manager to make the task easier.

What's important to understand is that user information is valuable, and can still be useful to attackers long after you've secured one affected account. The Internet provides numerous ways to have fun and work, but it also provides just as many avenues for attack.

About the Author

Max Eddy is a Software Analyst, taking a critical eye to Android apps and security services. He's also PCMag's foremost authority on weather stations and digital scrapbooking software. When not polishing his tinfoil hat or plumbing the depths of the Dark Web, he can be found working to discern the 100 Best Android Apps.
